Is the linux of Universal server considered hardened?

Created: 22 Nov 2012 • Updated: 26 Nov 2012 | 5 comments
This issue has been solved. See solution.

Could anyone tell me the answers to the questions below?

  Is the Linux of Universal Server considered hardened (based on the principle that unnecessary services are disabled, security-related settings applied, strong access control, etc.)?

How is it hardened (based on a hardened installation from the vendor, or by an additional process applied to the system, e.g. running a script)?

Thank you.

dfinkelstein's picture

PGP Universal is based on CentOS but it is not an "application" running on top of CentOS.  We do the hardening ourselves.   We do not install packages we do not need, we do not enable services that aren't needed, and we set up firewall rules to restrict access as appropriate.  There are no "users" of the system per se; you cannot log into the console and ssh access must be explicitly configured.  The only way to interact with it is through the administrative web interface or through one of the enabled services.

With every release we run penetration tests and we regularly update packages to address vulnerabilities that get reported against those packages (e.g. in OpenSSL, DNS, the Linux kernel, etc.).

Regards,

--------

David Finkelstein

Symantec R&D

enzo@dynasafe.com.tw's picture

Hi Dfinkelstein

Thank you for your response. Our customer is asking for an official answer. Does Symantec have any official announcement or document to prove or describe the hardening of PGP Universal Server? If there is, could you offer that to me?

BR,
Enzo

dfinkelstein's picture

That's a great question but I don't know the answer offhand.  I'll ask the lead documentation writer for PGP Universal if there is one, and if not, I'll work with the Product Manager to see that one is produced.

Regards,

--------

David Finkelstein

Symantec R&D

enzo@dynasafe.com.tw's picture

Hi Dfinkelstein,

Thanks again.

I'm curious about how often or when cluster members synchronize with each other?

Is there a command I can use in a script to force cluster members to synchronize at a set interval?

BR,

Enzo

SOLUTION
dfinkelstein's picture

By default, cluster members send heartbeat messages to each other every 10 seconds.  The receiving server processes the heartbeat message (which contains high watermark information) and responds to any difference by making requests for the new data.

The heartbeat message interval is configurable but it is not something that you can change from the management console.  If you feel that synchronization isn't working properly in your environment, or that you otherwise need to run some script to manually force synchronization, you should contact Symantec Technical Support and they will assist you.

Regards,

--------

David Finkelstein

Symantec R&D